A Proposed Fix To the Microsoft Ireland Case

On Tuesday, I posted the Second Circuit’s denial of the petition for rehearing en banc in the Microsoft case and promised to write more. I have now done so (via Slate); the piece is here.

I write now to emphasize the three key points.

First, as stated previously, the result is that US law enforcement’s ability to access stored communications, via a warrant based on probable cause, depends exclusively on whether or not the data is located in the United States. (If yes, it can access it; if not no.) This is so, even if the alleged perpetrator victim, and witness are all U.S. based, and the only foreign government connection is that the relevant data happens to be held in its jurisdiction. In such a situation, the United States would have to make a formal request to access that data via the mutual legal assistance process and likely await months or more to get the data – if at all. And in most (if not all) cases, the foreign government will access the data pursuant to standards that are less privacy protective than a warrant based on probable cause.

This is an outcome that makes little sense, with costs to privacy, security, and the future growth of the Internet (in that it encourages data localization in response). In fact, this appears to be one thing that all sides of the case agree on. All five opinions issued in connection with the rehearing denial suggested that the result was unsatisfying and urged congressional action as a result. Even Brad Smith, the president and chief legal adviser of Microsoft, coupled his praise of the decision (after all, his side won) with a call for Congress to “modernize” the law—and thus modify the result in the case.

I couldn’t agree more.

Second, an appeal to and reversal by the Supreme Court also is an unsatisfactory solution. It would mean that U.S. warrant authority would extends to any data held by a U.S.-based company anywhere, without any limitation based on legitimate sovereignty concerns. What is to prevent other countries from asserting the same? The United States would—and should—be concerned if foreign governments started demanding that U.S. subsidiaries start directly produce U.S. person and resident data, rather than accessing that data via the mutual legal assistance process. And in fact some governments are making just such a move. Belgium courts have asserted the broad authority to compel the production of data, irrespective of the location of the target, data, or provider. U.K. law now explicitly provides for extraterritorial disclosure authority. Others are likely to follow suit.

This, too, is a concerning state of affairs—one that would almost certainly lead to a growing conflict of laws, with one nation asserting the authority to compel the production of sought-after data of foreign nationals and other governments prohibiting companies that operate in their jurisdiction from turning it over. This is not just an abstract concern. It puts U.S. companies and their employees at risk—subjecting them to hefty fines or even arrest for failure to comply and likely making it too costly for smaller start-ups to operate internationally. Meanwhile, nations are likely to compete to impose the most hefty penalty so as to ensure compliance with their own laws.

Third, as is obvious, an appropriate fix falls somewhere between what Microsoft pushed for in the case and what the government advocates in response. Specifically, Congress should make clear that U.S. law enforcement is, as a general matter, able to compel, via a warrant based on probable cause, U.S.-based providers to disclose communications content within their custody or control, regardless of where the data is located. But Congress also should ensure that the countervailing interests of sovereign states are taken into account. It should specify that if the warrant targets a non-U.S. person (meaning not a citizen or legal permanent resident) located outside the United States, the reviewing court must take into account potential foreign government’s interests—effectively requiring as a matter of statute what is now done as a matter of international law. In cases of conflict, the U.S. government should be required to make a mutual legal assistance request for the data, absent a finding of an urgent need for the data and absent a workable alternative for accessing the data in a timely matter.

Such an approach reflects the notion that the United States should be permitted to access, pursuant to a valid warrant, the stored communications of its citizens and residents in the investigation of criminal activity, regardless of where the data is located. This offers both a shield and a sword—ensuring that the relatively robust warrant requirement applies when the law enforcement seeks the data of U.S. citizens and residents and also guaranteeing that the government can access that data when the warrant standard is met. Such an approach also reflects the view that governments have a sovereign interest in controlling access to data of their citizens and residents—and that these interests need to be taken into account. It thus addresses the concerns about reciprocity that were raised by Judge Dennis Jacobs in his dissent to the denial of rehearing and that every lawmaker working on this issue should be taking into account.